-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Sean,
On 2/9/15 9:46 AM, Sean Dawson wrote: > We've had customers who have had issues with Java and GoDaddy > certs. > > http://stackoverflow.com/questions/18746565/godaddy-ssl-cert-not-working-with-java > > > http://tozny.com/blog/godaddys-ssl-certs-dont-work-in-java-the-right-solution/ Did > you read the OP? He's already installed the GoDaddy cross-signed certificate. It's also not a Java client problem, since the client in this case is Google Chrome. - -chris > On Mon, Feb 9, 2015 at 9:30 AM, Christopher Schultz < > ch...@christopherschultz.net> wrote: > > Nick, > > (The formatting was awful on the message and made it difficult to > read. I've adjusted it to make it readable and reply-able). > > On 2/6/15 2:44 PM, nicksemai...@juno.com wrote: >>>> I have a SHA2 certificate for a RHEL 6 server using tomcat >>>> 7.0.57. > > That's an x509 certificate for SSL/TLS, using a SHA2-based > signature algorithm, right? > >>>> Port 8443 is listening, selinux is disabled, and have tried >>>> it with 8443 enabled in firewall and with firewall off. >>>> >>>> After receiving the .crt file from GoDaddy: ran the 4 >>>> keytool -import commands: >>>> >>>> For the alias=root, I used gdroot-g2.crt(from repository) For >>>> the alias=intermed, I used gd_ig2.crt(from GoDaddy) For the >>>> alias=cross, I used gdroot-g2_cross.crt(from repository) For >>>> the alias= tomcat, I used the <the alphanumeric>.crt(from >>>> GoDaddy) >>>> >>>> I see all the entries when I did the keytool -list > > Good. Everything above looks good, except that you need to make > sure that the certificates you imported were all the correct > ones... thee days, CAs tend to have a variety of intermediate > certificates for various purposes: one for code-signing, one for > European certificates and another for American ones, an old one > with SHA1-based signature, new ones with SHA2-based signatures, > etc. > > Verifying the accuracy of the certificate chain should be a > priority. > >>>> I made this change in server.xml: >>>> >>>> <Connector port="8443" maxThreads="200" SSLEnabled="true" >>>> scheme="https" secure="true" clientAuth="false" >>>> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" >>>> keystoreFile="path to .keystore file" keystorePass="keystore >>>> password" /> >>>> >>>> I then shutdown tomcat; startup tomcat. >>>> >>>> When I go to the URL in the browser with the port 8443, I >>>> get this:Firefox: Cannot communicate securely with peer: no >>>> common encryption algorithm(s). (Error code: >>>> ssl_error_no_cypher_overlap) >>>> >>>> Chrome: A secure connection cannot be established because >>>> this site uses an unsupported protocol.Error code: >>>> ERR_SSL_VERSION_OR_CIPHER_MISMATCH > > What version of Chrome are you using? > > Do you have access to an OpenSSL library? Can you run "openssl > -debug -showcerts s_client -connect https://host:8443/"; and post > the (possibly sanitized) results? > > You could also grab and compile the source of this tool from the > tomcat-dev archives and run it against your server: > http://markmail.org/thread/tz4z44nfjl7sy2lj > > This will tell you what is and is not supported. > > -chris >> >> --------------------------------------------------------------------- >> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: GPGTools - http://gpgtools.org iQIcBAEBCAAGBQJU2M6yAAoJEBzwKT+lPKRYdo8QAKqyY87oXjHy4CkNc3fPjYQH IQMRzFrnH/Dgk2g1eO9WXlJXg+4drjmDtsHpRBsJR17nZaDBz282lgVh4x8OUEhW tK6eagXHHnwhA8HBCCey5f6EfCF7dMR6AbwLkbhTUN7aym4gYMmQM18q2Nt6jxz7 qmtHW5GZ4OscqA6MQ5SVT6FckKR83570WakPQsl64JJwCUbC0uwOL9nU654nckNy hFiSznDugopfIICrmgHoX6HkAx7lChmCmfpexbUsDZkj/xpPriuvPMPu//sZ4zFc euqin0/gDMy76Qr+H0ExHaMKH734vXWgjXTakHg5D/V0C8U4iQEJSBsDWCaXqvDX kA+O2s/mYeiqqPVvA4nZ3JrNUQFgZPvOik8ubyCb2+/p7PLL9Hshikgl+sZ4cAW2 +NfertfDZ483IQKCKN1LKnWZNQ2ofF+jJ1vEoceqV/ybFi8fKipbJ37aU6c7EltL h4zJFv86l/irYzVKweGuszX7xX9DwWUu7YdKx4wIVArncb+wrALx3NXF0bI8pMaC C5sUoM2EBrOIZZkrpPDPdgr5O+XvWEaARd6eDnCDvZ1xjHcQxiHuVrnglzH3LE2L rU6wfg4ZRaX5rMA++yetf4/qYOe+/+YW84zLK3VkL0jWdlldr6/QoActiUquI2OD 7fGjoyFAdo2GcZP1OloD =T8m8 -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
